WRONG THREAT MODEL: The original purpose of password expiration was based on an old and outdated threat model. It was estimated it took 90 days for the average computer to crack the average password. Fast forward to today and that threat model has radically changed. First, most of today's "average" or "bad" passwords can be cracked in the cloud in mere seconds. Second, the greatest risk to your password is not cracking but password harvesting, such as cyber criminals infecting your computer with keystroke loggers, data harvesting via phishing websites, people sharing or reusing passwords, social engineering attacks over the phone, SMS texting or numerous other methods. Long story short, the threat model has changed, if your password is compromised it will almost certainly be in seconds, not months. And when the bad guy gets your password, they are not going to wait the required "90 days", they are going to leverage it right away.